Applying IP address filtering to Red Hat Container Registries


Content displayed in the Red Hat Container Catalog is distributed through container image registries managed by Red Hat, to which customer systems connect to consume that content. Unlike cdn.redhat.com, Red Hat has not maintained, and does not intend to maintain, a fixed list of IP addresses for the container registry endpoints registry.access.redhat.com and registry.redhat.io. This policy helps ensure that content can be reliably obtained from the container registries without impact from networking changes, service improvements, or failover events.

Any customer desiring to allowlist access to the Red Hat registry in web proxies or firewalls should not attempt to use a current IP address but instead use the following domains:

| URL | Description |
| --- | --- |
| access.redhat.com | required for container image signature verification |
| registry.access.redhat.com | first-generation Red Hat container registry |
| registry.redhat.io | second-generation Red Hat container registry supporting token-based access |
| registry.connect.redhat.com | registry for ISV content |
| sso.redhat.com | required for registry.redhat.io authentication |
| cdn.quay.io | required for container image content |
| cdn01.quay.io | required for container image content |
| cdn02.quay.io | required for container image content |
| cdn03.quay.io | required for container image content |
| cdn04.quay.io | required for container image content |
| cdn05.quay.io | required for container image content |
| cdn06.quay.io | required for container image content |

About Quay.io

Quay.io leverages Cloudflare, a robust Content Delivery Network (CDN), to optimize the speed and efficiency of image downloads. To enhance this acceleration further, users have the option to allowlist specific elements. Firstly, Quay.io's changing IPs can be allowlisted. These IPs, acquired through "dig +short quay.io," change periodically due to Quay's setup behind an elastic load balancer. By allowlisting these IPs, you ensure uninterrupted downloads, regardless of the image upload method.

Moreover, Cloudflare's domain (cdn.quay.io) also plays a pivotal role. Allowlisting the DNS records for both quay.io and cdn.quay.io is recommended, and it's essential to keep these records up to date.

You can also get the Cloudflare CIDR list by executing the command:

$ curl --request GET --url https://api.cloudflare.com/client/v4/ips --header 'Content-Type: application/json' | jq '.result.ipv4_cidrs[]'

For the specific IP ranges associated with Cloudflare, refer to https://www.cloudflare.com/ips/.
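The following added example (not part of the Red Hat article) turns the guidance above into a small allowlist tool: it keeps the registry domains from the table as a name-based allowlist, parses the Cloudflare IP-range response the `curl | jq` command above fetches, emits proxy rules (Squid ACL syntax is assumed as the proxy), and reports any freshly resolved address for a quay.io CDN host that has drifted outside the allowlisted ranges. The Cloudflare response body is a constructed stand-in using documentation ranges, so the script runs offline.

```python
"""Build a name-based allowlist for the Red Hat registries plus the Cloudflare
CDN ranges, and detect resolved addresses that drift outside those ranges."""
import ipaddress
import json

# Domains from the article's table: allowlist these by name, never by an IP snapshot.
REGISTRY_DOMAINS = [
    "access.redhat.com",
    "registry.access.redhat.com",
    "registry.redhat.io",
    "registry.connect.redhat.com",
    "sso.redhat.com",
    "cdn.quay.io",
] + [f"cdn{i:02d}.quay.io" for i in range(1, 7)]

# Constructed stand-in for the body of https://api.cloudflare.com/client/v4/ips
# (RFC 5737 / RFC 3849 documentation ranges, not real Cloudflare ranges).
SAMPLE_CLOUDFLARE_RESPONSE = json.dumps({
    "result": {
        "ipv4_cidrs": ["192.0.2.0/24", "198.51.100.0/24"],
        "ipv6_cidrs": ["2001:db8::/32"],
        "etag": "constructed",
    },
    "success": True, "errors": [], "messages": [],
})


def parse_cloudflare_ranges(body: str) -> list:
    """Return the CDN ranges as ip_network objects (what the article's jq filter selects)."""
    data = json.loads(body)
    if not data.get("success"):
        raise ValueError("Cloudflare API reported failure: %r" % data.get("errors"))
    cidrs = data["result"]["ipv4_cidrs"] + data["result"].get("ipv6_cidrs", [])
    return [ipaddress.ip_network(c) for c in cidrs]


def squid_acl_lines(domains: list, networks: list) -> list:
    """Emit Squid ACL lines: a domain allowlist plus one dst rule per CDN range."""
    lines = ["acl redhat_registry dstdomain " + " ".join(sorted(domains))]
    lines += ["acl quay_cdn dst %s" % n.with_prefixlen for n in networks]
    lines += ["http_access allow redhat_registry", "http_access allow quay_cdn"]
    return lines


def uncovered_addresses(resolved: dict, networks: list) -> dict:
    """Map each host to resolved addresses outside the allowlisted ranges.
    Feed it fresh `dig +short` output to catch the IP drift the article warns about."""
    missing = {}
    for host, addrs in resolved.items():
        bad = [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in networks)]
        if bad:
            missing[host] = bad
    return missing
```

Run `uncovered_addresses` on a schedule against the live Cloudflare list; a non-empty result means the cached CIDR allowlist is stale and pulls may start failing.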
